
Weezer Tune Used To Knock Out Implanted Defibrillators

Submitted by chicksdaddy
chicksdaddy writes "Listening to Weezer could kill you. Literally. That’s the conclusion of an unusual experiment by university researchers who used a snippet from the ’90s alternative rock band’s “Island in the Sun” as the basis for EMI (electromagnetic interference) attacks designed to overwhelm implanted heart defibrillators or even trick them into firing. (No. Seriously.) According to The Security Ledger, the Weezer-based attack is described in a paper (https://spqr.eecs.umich.edu/papers/fookune-emi-oakland13.pdf) presented on Monday at The Annual IEEE Symposium on Security and Privacy in Oakland, California. In it, the researchers describe EMI attacks on analog sensors used in implanted heart defibrillators by Medtronic, Boston Scientific and St. Jude. In tests, the researchers showed that – under ideal circumstances (that is: open air) – electromagnetic impulses could disrupt the accurate operation of the device, and even prompt it to induce defibrillation shocks from a distance of one to two meters. However, the effectiveness of EMI attacks was reduced drastically under conditions that simulate implantation in the human body, where attack ranges were reduced to between 3 and 5 cm. Still, researchers have proposed more shielding features for implantable defib devices and features to filter out EMI-based attacks designed to mimic heart attacks."

Is PayPal Enabling DDoS attacks?

Submitted by itwbennett
itwbennett writes "From the article: 'Speaking at The Security B-Sides Boston security conference on Saturday, independent researchers Allison Nixon and Brandon Levene said that their investigation of booter sites found that many rely on legitimate online services, including PayPal to accept payment on behalf of customers interested in attacking web sites they do not own, and Cloudflare, a DDoS prevention service.'"

Future Promises More Drones, More Drone Hacks

Submitted by chicksdaddy
chicksdaddy writes "The “consumerization” of UAV technology has created a lot of opportunities for Cool! — like this video of a UAV flying over (and almost into) Niagara Falls (http://www.youtube.com/watch?v=jMHr6LQhTRE). But it has also led to some problems. In March, a UAV “quadcopter” came within a couple hundred feet of striking an Alitalia flight trying to land at JFK Airport in New York. More concerning: the FAA is set to license tens of thousands of drones for use over the U.S., many by law enforcement or private security firms (https://www.eff.org/document/timeline-domestic-drone-integration). That has prompted warnings about a huge breach of privacy for U.S. citizens.
But a security researcher warns that snooping is only part of the problem. Speaking at The Security B-Sides event in Boston, Andrew Clare, a doctoral candidate at MIT’s Humans and Automation Lab (HAL), told an audience of security experts that the same economic pressures that drive UAV adoption will hinder the security of UAVs, leaving many susceptible to hacking and manipulation, as well as data loss."

NHTSA Calls For Better Vehicle Cyber Security

Submitted by chicksdaddy
chicksdaddy writes "The U.S. Government’s lead agency for vehicle safety has told Congress that more research into “vehicle cyber security” is needed to address the threats to drivers from cyber attacks that could "remotely compromise vehicle security through software and the increased onboard communications services."

In testimony before Congress on Thursday, David Strickland, the chief Administrator for the National Highway Traffic Safety Administration (NHTSA) told a Senate Committee that the electronics systems are “critical to the functioning” of modern autos and are becoming increasingly interconnected, leading to “different safety and cyber security risks.” The agency is requesting $2 million in the 2014 budget to research “vehicle electronics and emerging technologies” with an eye to developing requirements for the safety and reliability of vehicle controls."


New Search Engine Peers Inside Binaries

Submitted by chicksdaddy
chicksdaddy writes "The Security Ledger reports that researchers at The University of Cambridge in the UK have created a Google-like search engine that can peer inside applications, analyzing their underlying code. The search engine, dubbed "Rendezvous" (http://www.rendezvousalpha.com/), was unveiled in a seminar on Tuesday by Wei Ming Khoo, a doctoral student in the Security Group working at the University of Cambridge’s Computer Laboratory. It allows users to submit a binary, which is then parsed and compared against a library of code harvested from open source projects across the Internet. Rendezvous has a number of applications. For example, it could be used to help reverse engineer potentially malicious files, enforce copyright, or find evidence of plagiarism within applications, according to a blog post by Ross Anderson (http://www.lightbluetouchpaper.org/2013/05/14/a-search-engine-for-code/), a Professor of Security Engineering at the Laboratory."

OSINT Tool Lets You Gather Facebook User Profiles And Phone Numbers By Area Code

Submitted by chicksdaddy
chicksdaddy writes "We all know that Facebook Graph Search is going to be a privacy nightmare (http://actualfacebookgraphsearches.tumblr.com/). But one person's nightmare is another's wet dream — notably: social engineers, penetration testers and stalkers. Meet Facebook Harvester, a new module for Recon-ng, an open source web reconnaissance framework, that allows anyone with a Facebook Developer account to harvest phone numbers associated with Facebook user accounts, The Security Ledger reports.

Harvester allows Recon-ng users to query the Graph Search API directly for phone number information. It enables brute force searching by partial phone numbers, including area code, area code + exchange or the last four digits, according to a blog post by Rob Simon (@_Kc57), a Canton, Ohio-based security professional, who wrote about Harvester on his personal blog (http://kc57.com/facebook-osint-module-for-recon-ng/). In one powerful example of Graph Search’s capabilities, Simon entered just an area and exchange code, returning a list of names, Facebook usernames and account profiles, gender and full phone numbers in that area.

There are some limitations to the Facebook Harvester module, to be sure. It is a proof-of-concept and only useful for gathering phone numbers. The plug-in also requires an active authentication token from Facebook to work. Those are issued from Facebook’s developer site and only last for about an hour, though Simon says he has discovered a means to bypass the limits put on the Graph API.

A Facebook spokesman said there are other protections — including limits on the number of queries to the API. Besides: tools like Harvester are a violation of Facebook's Terms of Use, which require company permission to do any "scraping" or automated crawling of user accounts."


Wifi Enabled Medical Devices May Be Used As Backdoors, DHS Warns

Submitted by chicksdaddy
chicksdaddy writes "A bulletin published by the Department of Homeland Security has warned that the increasing use of wireless networking technology to enable medical devices expands the ways that those devices could be hacked.

The bulletin, published May 4 by DHS’ National Cybersecurity and Communications Integration Center, warns that advances in medical devices, including Internet connectivity and the use of smartphones, tablets and other mobile devices in patient care “expands the attack surface” of medical devices.

“The expanded use of wireless technology on the enterprise network of medical facilities and the wireless utilization of (medical devices) opens up both new opportunities and new vulnerabilities to patients and medical facilities,” DHS said.

Beyond exposing patient data to attacks, smartphones, tablets and IP-enabled medical gear can also be gateways for attacks on medical infrastructure, DHS warned.

“Since wireless medical devices are now connected to Medical information technology (IT) networks, IT networks are now remotely accessible through the medical devices. This may be a desirable development, but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern.”"


Fitbitten: Researchers Exploit Health Monitor To Earn Workout Rewards

Submitted by chicksdaddy
chicksdaddy writes "Wireless personal health and fitness monitoring devices like Nike Fuelband, Jawbone Up and Fitbit are all the rage. But you'll be shocked — shocked! — to learn that many of these devices do a poor job of securing the data stored on and transmitted between the devices and (usually) web-based management and tracking systems.

The latest evidence of this comes from a team of three researchers from Florida International University in Miami who analyzed the Fitbit health monitoring device and found several exploitable vulnerabilities that could allow malicious hackers to hijack Fitbit users' accounts, and access or even manipulate their personal health data to earn prizes and monetary rewards.

The report, published last month and available for download from Cornell University's arXiv.org (http://arxiv.org/pdf/1304.5672v1.pdf), found that exploitable holes in the Fitbit device, the companion web-based software and the communications protocol used to exchange data between the two were an example of the "careless integration of health data into social networks" that was "fraught with privacy and security vulnerabilities."

Researchers Mahmudur Rahman, Bogdan Carbunar and Madhusudan Banik at Miami International's School of Computing and Information Sciences reverse engineered the Fitbit communication protocol, storage details and operation codes. In the process they identified several exploitable vulnerabilities in the Fitbit software and built FitBite, a suite of tools that exploit these vulnerabilities to launch a wide range of attacks, including eavesdropping, injection and denial of service attacks.

Security Ledger has the full report here: http://securityledger.com/fitbitten-researchers-exploit-health-monitor-to-earn-workout-rewards/"


Arrested In Spain, Cyberbunker Chief Claims Diplomatic Immunity

Submitted by chicksdaddy
chicksdaddy writes "Spanish authorities arrested a 35-year-old Dutch man believed responsible for denial of service attacks against Spamhaus, a spam blacklist operation. In a statement on Sunday, the Spanish Ministry of the Interior released a statement saying that National Police agents arrested the man responsible for the attacks in response to a European arrest warrant stemming from an investigation begun by Dutch authorities. The suspect was not named, but was described as a 35-year-old from Alkmaar (Netherlands) who was apprehended while traveling in a van equipped with computer equipment and a range of antennas and used as a mobile office.

The man is believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker. According to the Spanish Ministry of the Interior, he claimed to be a diplomat at the time of his arrest, claiming the title of Minister of Telecommunications and Foreign Affairs of the Republic of Cyberbunker."


MPAA Executive Tampers With Evidence In Piracy Case

Submitted by Anonymous Coward
An anonymous reader writes "TorrentFreak reports on an internet piracy case from Finland, which saw four men found guilty and fined €45,000. During the trial, the defense attorney took note of inconsistencies in log files used as evidence against the men. An investigator for international recording industry organization IFPI revealed after questioning that the files had been tampered with. He said an MPAA executive was present when the evidence gathering took place, and altered the files to hide the identity of 'one of their spies.' 'No one from the MPAA informed the defense that the edits had been made and the tampering was revealed at the worst possible time – during the trial. This resulted in the prosecutor ordering a police investigation into the changes that had been made. "Police then proceeded by comparing the 'work copy' that the IFPI investigator produced with the material that police and the defending counsels had received. Police found out that the material had differences in over 10 files," Hietanen reveals.'"

Root On 13K Devices: Misconfigured Serial Port Servers Expose Critical Systems

Submitted by chicksdaddy
chicksdaddy writes "A survey conducted by the firm Rapid7 has found evidence that widespread vulnerabilities and insecure configuration of ubiquitous networking components known as serial port (or “terminal”) servers expose a wide range of critical assets to remote, unauthenticated access – including point of sale terminals, ATMs and industrial control systems. (https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers)

In the survey, over 114,000 unique IPs were identified, the vast majority manufactured by one company: Digi International (http://www.digi.com/).

The vulnerable devices uncovered include those connecting retail point-of-sale systems at a national chain of dry cleaners and providing direct access to employee terminals from which customer payment information could be accessed. Other exposed systems were used to monitor the location of cargo containers, train cargo as well as HVAC and industrial control systems, Rapid7 said.

“The results were pretty scary,” Moore wrote. “Authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors.”

Moore’s analysis uncovered 13,000 serial port servers that, when accessed, provided unauthenticated access to root shells, system consoles, and administrative interfaces. Many of those had been hijacked by attackers using TCP or proprietary protocols after a valid user had authenticated to the device, then let the session fall idle. “These attacks are straightforward, but obscure,” Moore told The Security Ledger."


'Focus Aware Marketing' Startup Helped Identify The Boston Bombers

Submitted by chicksdaddy
chicksdaddy writes "There was lots of buzz this week about how Redditors and 4Chan were crowdsourcing the identity of the Boston Marathon bombers. In the end though, those efforts didn't amount to much. Sure, the collective eyeballing and Google dorking of the Internet masses yielded some clues — once images of the bombers had been released. Folks identified the brand of clothing worn by the suspects, as well as new and unseen photos of the two at the scene of the bombing.

Mostly, though, they sowed chaos and confusion, accelerating the spread of inaccurate information and fingering innocent spectators as possible bombers. None of the “suspects” singled out by crowdsourced analysis as “suspicious” are believed to have played a role in the attack.

So how did authorities pick out the two bombers to begin with? That was accomplished, in no small part, with technology by the startup firm CrowdOptic (http://crowdoptic.com), a purveyor of what it describes as “focus-based services.”

CrowdOptic's software correlates geospatial and compass data from smart devices and combines that with photos and other metadata (i.e. photo EXIF information) associated with images. Built-in analytics then use triangulation and other algorithms to identify “points of focus” in a crowd.
“Send me 100k images of the Super Bowl and in 1 second (of) server time I can send you the picture/s containing (for example) the halftime show wardrobe malfunction representing the most views,” CEO Jon Fisher told The Security Ledger back in October.

With the Boston bombings, CrowdOptic’s technology played a key role in helping authorities to sift through the photo evidence and metadata collected from the bombing scene (http://technorati.com/technology/article/crowdsourcing-approach-leads-to-arrest-of/). In that situation, the bombs’ locations acted as a magnet for all other photos containing the bomb location in the photographs of the area before and after the explosions. CrowdOptic’s technology was used to piece together that visual information and give investigators a time lapse not just of the scene, but of people who could have captured an image of the points of interest – even from some distance. That’s information that wouldn’t show up just by collecting geospatial data of those around the bombing site at the time of the blast. That, in turn, quickly revealed the figures of the alleged bombers: Dzhokhar A. Tsarnaev, 19, and his older brother, Tamerlan Tsarnaev, 26."


iOS has 93% of mobile vulnerabilities, Android has 95% of the Malware. Why?

Submitted by chicksdaddy
chicksdaddy writes "Symantec Corp.’s Internet Security Threat Report (ISTR) for 2012 was released on Tuesday (http://www.symantec.com/security_response/publications/threatreport.jsp). Buried among the data on targeted attacks and data breaches is some very interesting data on mobile vulnerabilities and malware. Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 – more than 95% – targeted Android devices. Just one mobile threat targeted Apple’s iOS operating system during the same period.

If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true. It’s Apple’s iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, Blackberry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms – a bit more than 93 percent, Symantec found.

What gives? A blog over at Veracode suggests that Google may have something of a "broken windows" problem, much like the problems experienced by urban areas in the U.S. during the 1960s and 70s.

"Google is making the mistakes of urban police forces and politicians in the 1960s and 70s, when crime rates took off," the blog post argues: failing to create barriers to crime and turning a blind eye to what perceive as small and inconsequential security incidents, infractions and abuses. That lax security is attracting the attention of those inclined to do ill, but wary of getting caught.""


ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices

Submitted by chicksdaddy
chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the Federal Government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets "defective and unreasonably dangerous."

The civil liberties group’s complaint for injunctive relief with the FTC (http://www.aclu.org/files/assets/aclu_-_android_ftc_complaint_-_final.pdf) notes that “major wireless carriers have sold millions of Android smartphones to consumers” but that “the vast majority of these devices rarely receive software security updates.” The ACLU says that carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties.

“A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners,” the ACLU said.

Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 16% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed “Jelly Bean” – more than six months after its release. In contrast, 44% of Android users are still running the “Gingerbread” release – versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities. This is according to data released by Google on the Android developer blog."


Comment: Update: He'll work in Motorola Mobility ATAP Unit (Score 3, Interesting)

by chicksdaddy (#43451759) Attached to: DARPA Cyber Chief "Mudge" Zatko Going To Google
Update courtesy of Google: Mudge will be working in Motorola Mobility's Advanced Technology & Projects (ATAP). From the web: "The group's mission is to deliver breakthrough innovations to the company's product line on seemingly impossible short timeframes. ATAP is skunkworks-inspired. Optimized for speed. Small, lean, resourced. With agility, freedom from bureaucratic constraints, and a willingness to embrace risk as core attributes." Hmm...sounds kinda like DARPA! ;-)
